<p>Creating APIs without authentication unnecessarily increases the attack surface on the target infrastructure.</p>
<p>Unless another authentication method is used, attackers have the opportunity to attempt attacks against the underlying API.<br> This means attacks
both on the functionality provided by the API and its infrastructure.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The underlying API exposes all of its contents to any anonymous Internet user. </li>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>In general, prefer limiting API access to a specific set of people or entities.</p>
<p>AWS provides multiple methods to do so:</p>
<ul>
  <li> <code>AWS_IAM</code>, to use standard AWS IAM roles and policies. </li>
  <li> <code>COGNITO_USER_POOLS</code>, to use customizable OpenID Connect (OIDC) identity providers (IdP). </li>
  <li> <code>CUSTOM</code>, to use an AWS-independant OIDC provider, glued to the infrastructure with a Lambda authorizer. </li>
</ul>
<h2>Sensitive Code Example</h2>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.Resource.html">aws-cdk-lib.aws_apigateway.Resource</a>:</p>
<pre>
import {aws_apigateway as apigateway} from "aws-cdk-lib"

const resource = api.root.addResource("example")
resource.addMethod(
    "GET",
    new apigateway.HttpIntegration("https://example.org"),
    {
        authorizationType: apigateway.AuthorizationType.NONE // Sensitive
    }
)
</pre>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.CfnRoute.html">aws-cdk-lib.aws_apigatewayv2.CfnRoute</a>:</p>
<pre>
import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

new apigateway.CfnRoute(this, "no-auth", {
    apiId: api.ref,
    routeKey: "GET /no-auth",
    authorizationType: "NONE", // Sensitive
    target: exampleIntegration
})
</pre>
<h2>Compliant Solution</h2>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.Resource.html">aws-cdk-lib.aws_apigateway.Resource</a>:</p>
<pre>
import {aws_apigateway as apigateway} from "aws-cdk-lib"

const resource = api.root.addResource("example",{
    defaultMethodOptions:{
        authorizationType: apigateway.AuthorizationType.IAM
    }
})
resource.addMethod(
    "POST",
    new apigateway.HttpIntegration("https://example.org"),
    {
        authorizationType: apigateway.AuthorizationType.IAM
    }
)
resource.addMethod(  // authorizationType is inherited from the Resource's configured defaultMethodOptions
    "GET"
)
</pre>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.CfnRoute.html">aws-cdk-lib.aws_apigatewayv2.CfnRoute</a>:</p>
<pre>
import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

new apigateway.CfnRoute(this, "auth", {
    apiId: api.ref,
    routeKey: "POST /auth",
    authorizationType: "AWS_IAM",
    target: exampleIntegration
})
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html">AWS Documentation</a> -
  Controlling and managing access to a REST API in API Gateway </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/284">CWE-284 - Improper Access Control</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222620">Application Security and
  Development: V-222620</a> - Application web servers must be on a separate network segment from the application and database servers. </li>
</ul>
